keycloak-scim/server_admin/topics/threat/scope.adoc


=== Limiting Scope

By default, each new client application has an unlimited `role scope mappings`.  This means that every access token that is created
for that client will contain all the permissions the user has.  If the client gets compromised and the access token
is leaked, then each system that the user has permission to access is now also compromised.  It is highly suggested
that you limit the roles an access token is assigned by using the <<_role_scope_mappings, Scope menu>> for each client.
threat 2016-05-31 22:00:59 +00:00
			`=== Limiting Scope`

KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			By default, each new client application has an unlimited `role scope mappings`. This means that every access token that is created
threat 2016-05-31 22:00:59 +00:00			`for that client will contain all the permissions the user has. If the client gets compromised and the access token`
			`is leaked, then each system that the user has permission to access is now also compromised. It is highly suggested`
KEYCLOAK-7075 Client scopes documentation (#389) 2018-06-08 13:39:15 +00:00			`that you limit the roles an access token is assigned by using the <<_role_scope_mappings, Scope menu>> for each client.`
threat 2016-05-31 22:00:59 +00:00